So this is a configuration linter; what I was hoping it might be is something that provides live auditd notices for when a tailscale user connects by SSH to a common "admin" account.

The tailscale daemon definitely knows which user it is making the connection, as it publishes that info into the journal and I've seen people scrape it out of there, but I'd much rather it go through a structured reporting pipeline. AFAICT, tailscale itself provides several things that look like they're this, but aren't quite the right thing, for example https://tailscale.com/kb/1203/audit-logging is about logging changes to the tailnet itself (eg adding nodes), and https://tailscale.com/kb/1246/tailscale-ssh-session-recordin... is recording the ssh sessions rather than simple events for XYZ logged in / XYZ session idle / XYZ disconnected.

(And yes, I know people have opinions about common admin accounts, but tailscale is another route into what FB described as far as everyone accessing the same root account but doing so with their own credentials [good!] rather than a shared key [very bad!]: https://engineering.fb.com/2016/09/12/security/scalable-and-...)

Will this also work with Headscale [1]?

[1] https://headscale.net/ | https://github.com/juanfont/headscale

This is what I've been looking for. I love Tailscale, but as our tailnet has grown from "just me and a few servers" to "entire engineering team + prod/staging/dev environments," the ACL file has become terrifyingly long.

I always have this low-level anxiety that I accidentally left a tag too open or messed up a source/destination rule in the HuJSON. Anyone else? The fact that this can run in CI/CD is a huge win.

Maybe a dumb question, but is there any reason or incentive for Tailscale to not run something like this for every user, or atleast offer a "scan now" button or something? I love the idea of this tool and will for sure be using it, just would like to see something like this native to the platform itself. Seems on brand for them, and it's not like they offer paid security audits or anything

Very nice! As a two-user household I was surprised I am not supposed to use tags for user devices: https://tailscale.com/kb/1068/tags

How am I supposed to work with user devices (laptop/phone) then if not tags? Because from the Laptop I want the user (me) to be able to use e.g. the SSH ports on my servers, but from the phone I don't want SSH enabled.

I currently assign the tag SSH to the phone/laptop which either enables or disables SSH, now I am unsure because without tags I can only assign the user the tag?

I’ve been using Tailscale to connect remote edge devices into a single network, and one thing that’s always missing is good visibility into what’s actually happening on the tailnet.I hope Tailsnitch will fit that gap nicely if it makes traffic patterns explicit without turning into a heavyweight security product. For setups with distributed devices, this kind of local, understandable observability is really valuable, especially when you want to debug or sanity-check access instead of just trusting that everything is fine.

Hahaha, I love it. But also, a security tool you're going to be using against your core infrastructure should probably not be a random binary that you also tell users to strip quarantine off of to use: `sudo xattr -rd com.apple.quarantine`. Sigh at the state of running stuff on macOS sometimes.

All joking aside, this looks great. Is there a plan to allow for "custom checks" with custom rules users create? Think of "never should happen" access from a to z, etc.

Very cool! Does it check for https://github.com/tailscale/tailscale/issues/11717 ?

I'm probably not 100% up to date with their progress (feel free to educate me/us), but to me Tailscale seems perfect for a small startup of highly competent people but has the risk of falling apart catastrophically when you grow and hire people who maybe aren't.

I just use the free version at home. The mere existence of this tool feels a bit like validation of my skepticism.